mm, floppy: unkillable task faulting on fd0

mm, floppy: unkillable task faulting on fd0

[Dmitry Vyukov]

Hello,

The following program produces unkillable tasks blocked at the following stack:

[<ffffffff8184c44b>] wait_on_page_bit+0x1eb/0x2a0 mm/filemap.c:802
[<     inline     >] wait_on_page_locked ./include/linux/pagemap.h:508
[<ffffffff81862fa7>] filemap_fault+0x17c7/0x1e50 mm/filemap.c:2201
[<ffffffff819423cc>] __do_fault+0x33c/0x8a0 mm/memory.c:2864
[<     inline     >] do_read_fault mm/memory.c:3191
[<ffffffff81953521>] do_fault+0xbb1/0x28d0 mm/memory.c:3326
[<     inline     >] handle_pte_fault mm/memory.c:3527
[<     inline     >] __handle_mm_fault mm/memory.c:3614
[<ffffffff81956ddb>] handle_mm_fault+0x159b/0x2cd0 mm/memory.c:3651
[<ffffffff812fc2eb>] __do_page_fault+0x4fb/0xb60 arch/x86/mm/fault.c:1397
[<ffffffff812fcb19>] trace_do_page_fault+0x159/0x830 arch/x86/mm/fault.c:1490
[<ffffffff812eb6fc>] do_async_page_fault+0x7c/0xd0 arch/x86/kernel/kvm.c:265
[<ffffffff88148cd8>] async_page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1015
[<ffffffff81aadf93>] getname_flags+0x113/0x580 fs/namei.c:148
[<ffffffff81aaf112>] user_path_at_empty+0x32/0x50 fs/namei.c:2556
[<     inline     >] SYSC_readlinkat fs/stat.c:327
[<     inline     >] SyS_readlinkat fs/stat.c:315
[<     inline     >] SYSC_readlink fs/stat.c:352
[<ffffffff81a8295c>] SyS_readlink+0x12c/0x3f0 fs/stat.c:349
[<ffffffff88147885>] entry_SYSCALL_64_fastpath+0x23/0xc6
arch/x86/entry/entry_64.S:209


Before hang kernel prints:
[  404.042351] floppy0: disk absent or changed during operation
[  404.044187] floppy0: disk absent or changed during operation
[  404.058637] floppy0: disk absent or changed during operation
[  404.060152] floppy0: do_fd_request: timeout handler died.  old
request running


On commit a25f0944ba9b1d8a6813fd6f1a86f1bd59ac25a6 (Nov 13).

Run this program in a loop:

// autogenerated by syzkaller (http://github.com/google/syzkaller)

#include <pthread.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

int fd;

void* thr(void* arg)
{
  if (rand() % 2)
    usleep(rand() % 1000);
  switch ((long)arg) {
  case 0:
    fd = syscall(__NR_open, "/dev/fd0", 0x900ul);
    break;
  case 1:
    syscall(__NR_mmap, 0x20009000ul, 0x1000ul, 0x4ul, 0x12ul, fd, 0x0ul);
    break;
  case 2:
    syscall(__NR_mmap, 0x20009000ul, 0x1000ul, 0x4ul, 0x12ul, fd, 0x0ul);
    break;
  case 3:
    syscall(__NR_readlink, 0x20009000ul, 0x20009000ul, 0x100ul);
    break;
  case 4:
    syscall(__NR_readlink, 0x20009000ul, 0x20009000ul, 0x100ul);
    break;
  }
  return 0;
}

int main()
{
  long i;
  pthread_t th[5];

  fd = syscall(__NR_open, "/dev/fd0", 0x900ul);
  syscall(__NR_mmap, 0x20009000ul, 0x1000ul, 0x4ul, 0x12ul, fd, 0x0ul);

  srand(getpid());
  for (i = 0; i < 5; i++)
    pthread_create(&th[i], 0, thr, (void*)i);
  for (i = 0; i < 5; i++)
    pthread_join(th[i], 0);
  return 0;
}

mm, floppy: unkillable task faulting on fd0

[Dmitry Vyukov]

Hello,

The following program produces unkillable tasks blocked at the following stack:

[<ffffffff8184c44b>] wait_on_page_bit+0x1eb/0x2a0 mm/filemap.c:802
[<     inline     >] wait_on_page_locked ./include/linux/pagemap.h:508
[<ffffffff81862fa7>] filemap_fault+0x17c7/0x1e50 mm/filemap.c:2201
[<ffffffff819423cc>] __do_fault+0x33c/0x8a0 mm/memory.c:2864
[<     inline     >] do_read_fault mm/memory.c:3191
[<ffffffff81953521>] do_fault+0xbb1/0x28d0 mm/memory.c:3326
[<     inline     >] handle_pte_fault mm/memory.c:3527
[<     inline     >] __handle_mm_fault mm/memory.c:3614
[<ffffffff81956ddb>] handle_mm_fault+0x159b/0x2cd0 mm/memory.c:3651
[<ffffffff812fc2eb>] __do_page_fault+0x4fb/0xb60 arch/x86/mm/fault.c:1397
[<ffffffff812fcb19>] trace_do_page_fault+0x159/0x830 arch/x86/mm/fault.c:1490
[<ffffffff812eb6fc>] do_async_page_fault+0x7c/0xd0 arch/x86/kernel/kvm.c:265
[<ffffffff88148cd8>] async_page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1015
[<ffffffff81aadf93>] getname_flags+0x113/0x580 fs/namei.c:148
[<ffffffff81aaf112>] user_path_at_empty+0x32/0x50 fs/namei.c:2556
[<     inline     >] SYSC_readlinkat fs/stat.c:327
[<     inline     >] SyS_readlinkat fs/stat.c:315
[<     inline     >] SYSC_readlink fs/stat.c:352
[<ffffffff81a8295c>] SyS_readlink+0x12c/0x3f0 fs/stat.c:349
[<ffffffff88147885>] entry_SYSCALL_64_fastpath+0x23/0xc6
arch/x86/entry/entry_64.S:209


Before hang kernel prints:
[  404.042351] floppy0: disk absent or changed during operation
[  404.044187] floppy0: disk absent or changed during operation
[  404.058637] floppy0: disk absent or changed during operation
[  404.060152] floppy0: do_fd_request: timeout handler died.  old
request running


On commit a25f0944ba9b1d8a6813fd6f1a86f1bd59ac25a6 (Nov 13).

Run this program in a loop:

// autogenerated by syzkaller (http://github.com/google/syzkaller)

#include <pthread.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

int fd;

void* thr(void* arg)
{
  if (rand() % 2)
    usleep(rand() % 1000);
  switch ((long)arg) {
  case 0:
    fd = syscall(__NR_open, "/dev/fd0", 0x900ul);
    break;
  case 1:
    syscall(__NR_mmap, 0x20009000ul, 0x1000ul, 0x4ul, 0x12ul, fd, 0x0ul);
    break;
  case 2:
    syscall(__NR_mmap, 0x20009000ul, 0x1000ul, 0x4ul, 0x12ul, fd, 0x0ul);
    break;
  case 3:
    syscall(__NR_readlink, 0x20009000ul, 0x20009000ul, 0x100ul);
    break;
  case 4:
    syscall(__NR_readlink, 0x20009000ul, 0x20009000ul, 0x100ul);
    break;
  }
  return 0;
}

int main()
{
  long i;
  pthread_t th[5];

  fd = syscall(__NR_open, "/dev/fd0", 0x900ul);
  syscall(__NR_mmap, 0x20009000ul, 0x1000ul, 0x4ul, 0x12ul, fd, 0x0ul);

  srand(getpid());
  for (i = 0; i < 5; i++)
    pthread_create(&th[i], 0, thr, (void*)i);
  for (i = 0; i < 5; i++)
    pthread_join(th[i], 0);
  return 0;
}

--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org.  For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>

Re: mm, floppy: unkillable task faulting on fd0

[Jiri Kosina]

On Fri, 18 Nov 2016, Dmitry Vyukov wrote:

> Hello,
> 
> The following program produces unkillable tasks blocked at the following stack:

I am pretty sure this got re-introduced by f2791e7eadf4, that basically 
reverts my attempt to work around you original report (that was fixed by 
09954bad44).

We'll have to figure out other way how to fix this that doesn't break 
odd userspace asumptions about semantics of O_NDELAY on floppies.

-- 
Jiri Kosina
SUSE Labs

Re: mm, floppy: unkillable task faulting on fd0

[Jiri Kosina]

On Fri, 18 Nov 2016, Dmitry Vyukov wrote:

> Hello,
> 
> The following program produces unkillable tasks blocked at the following stack:

I am pretty sure this got re-introduced by f2791e7eadf4, that basically 
reverts my attempt to work around you original report (that was fixed by 
09954bad44).

We'll have to figure out other way how to fix this that doesn't break 
odd userspace asumptions about semantics of O_NDELAY on floppies.

-- 
Jiri Kosina
SUSE Labs

--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org.  For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>